How to Identify Malware in a Blink

When a new disease surfaces among humans or animals, the first thing we notice are the patterns of spread – not the structure of its DNA.

Let me use a few examples to explain what I mean. Take two random and unknown diseases, and say that you notice that almost everybody with the first disease was in contact with another infected person, while almost everybody with the second one ate spinach very recently. You already know something about how these two diseases’ patterns of spread, don’t you?

Take the first disease now. Everybody who got it became ill three to five days after the infected person they know became ill, and everybody who got it kissed somebody who also got it. You know something about the incubation time and the way the disease transmits now, right?

It may take months after people know how to minimize their risks of becoming infected before pharmaceutical companies have succeeded in understanding the structure of the virus or bacteria, and started to develop a cure.

Why do we treat malware epidemics like we were pharmaceutical companies?

To deal with malware epidemics, we build honey-pots, collect potentially malicious code, observe the code execute in sandboxes, and try to reverse-engineer the code. Why do we not simply observe how it spreads?

Time for some examples again. Say that we have inferred that some collection of machines is infected. (We may know because we observed anomalous or criminal behavior, or because we ran a software-based attestation method.)

Say that the infected devices are mostly in geographical proximity of each other. Could it be a Bluetooth virus? Or say that the device owners are unusually tightly connected over social networks. Maybe it spreads using email or MMS? Does the infection spread like wildfire? Maybe not a Trojan then! All infected devices run the same version of the same operating system. What does that tell us?

Once we have classified the problem, we are halfway there. We know where countermeasures need to be applied.

A Bluetooth virus needs a patch – but only for devices in the affected area. Malware propagated by MMS can be slowed down by filtering or delaying suspect messages. Trojans can be fought using cloud-based whitelisting and blacklisting methods. And if we know the operating system and version, we know something about the vulnerability.

The faster we can react to outbreaks, the better off we are. As the pace of malware evolution increases, we need to keep up. If we do not, we are asking for trouble.

Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He has previously been Principal Research Scientist at RSA Laboratories, Member of Technical Staff at Bell Labs, Associate Professor at Indiana University, and Adjunct Associate Professor at New York University. He holds a PhD in computer science from University of California at San Diego.